DEC. 12. 2005 7:37PM ZILKA-KOTAB, PC 

-24- 



NO. 1293 P. 31 



REMARKS 

Claims 1-3, 5, 17-19, 21, 33-35, 37, 49-51, 53, 65-67, 69, 81-83 and 85 stand 
rejected under 35 USC §102 as being anticipated by Cozza (U.S. Patent 5,649,095). 
Applicant respectfully disagrees with such rejection, particularly in view of the 
amendment made hereinabove. Specifically, the subject matter of Claims 4, 10 and 13 et 
aL has been incorporated into each of the independents claims, along with any 
intervening claims. 



With respect to the subject matter of former Claim 10 et al. (now incorporated 
into each of the independent claims), the subject matter of such claim is rejected under 35 
USC §103 as being unpatentable over Cozza as previously applied to applicants' 
independent claims and further in view of HyppSnen (U.S. Patent 6,577,920). 
Specifically, the Examiner relies on the excerpt from Cozza below to meet applicant's 
claimed technique '"wherein said fingerprint data includes a number of program resource 
items specified within said resource data" (see this or similar, but not necessarily 
identical language in each of the independent claims), 



"The simplest method to accomplish this is to look for a. 
predetermined string of hexadecimal bytes, the presence of which 
indicates a specific virus infection." (see col. 1, lines 63-S5) 

U A third example involves the nature of multi-fork file storage 
on computers such as the Apple Macintosh, Typically one fork of a 
file, for example the resource fork on Macintosh computers, may 
contain a kind of small database which is used to contain many 
kinds of data, including application code, icons, preferences, 
strings, templates, and other such items. A change in size to 
such a fork may not indicate a change to application code, but 
rather a change to something else such as user preferences. It is 
therefore necessary to handle this complexity in a proper manner 
so as to voptimize speed enhancement without compromising scan 
effectiveness," (see col. 2, paragraph 7) 

The Examiner goes on to argue that "the combination of Cozza and Hypponen 
disclosed the signature including multiple resource items." First, Hypponen merely 
discloses generating fingerprint data for a macro file. Further, the above excerpt merely 
discloses exemplary resource data. 
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Simply nowhere in either of the references is there even a suggestion of a number 
of program resource items specified within resource data, as claimed. Only applicant 
teaches and claims including, in a fingerprint, a number of program resource items within 
resource data. By this design, such number may be used to enhance the efficiency or 
overall effectiveness of the scanning when the fingerprint data is compared with 
fingerprint data of known computer program. 



Still yet, with respect to the subject matter of former Claim 13 et aL (now 
incorporated into each of the independent claims), the subject matter of such claim is 
rejected under 35 USC §103 as being unpatentable over Cozza as previously applied to 
applicants' independent claims and further in view of Hypponen (U.S. Patent 6,577,920). 
Specifically, the Examiner relies on the excerpt from Cozza below to meet applicant's 
claimed technique "wherein said fingerprint data includes a flag indicating which data is 
included within said fingerprint data" (see this or similar, but not necessarily identical 
language in each of the independent claims). 



"The process for scanning each file in a volume will now be 
described with reference to FIGS. 4A through 4E. In this process 
two sets of flags are used- The first is in memory and is used to 
determine the viruses for which a particular file needs to be 
scanned during the current virus scan. For this set of flags the 
system utilizes a bit field large enough so that there is one bit 
corresponding to every known Macintosh virus. Currently the 
number of Macintosh viruses is less than SO. Therefore, a 
bitfield of 12 8 bits (or 4 longwords) in length is adequate to 
handle current viruses and those that will appear for some time 
to come. This field could be enlarged as needed. Bits in this 
bitfield are turned on in steps 68, 76, and 90, which are 
described below, to indicate the viruses for which the system 
scans in a particular file, as also described below in connection 
with steps 90 and 94. 

The second set of flags resides in the cache information (see 
PIG. 5) . One longword of memory is generally adequate for this. A 
value of zero in this longword would indicate that no virus was 
found previously in the last scan of the file. As described 
below, this flag is set in step 102. If a virus was found in the 
last scan of this file, then 3 bytes in this longword can be used 
to indicate which virus was found first in the file. The 
remaining 8 bits can be used to indicate whether (1) one or more 
viruses which change resource fork lengths were found in the last 
scan of this file, (2) one or more viruses which change data fork 
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lengths were found in the last scan of this file, and (3) whether 
multiple viruses were found in the last scan of this file. Other 
bits could be used to indicate whether a virus which does not 
change fork size was found in the last scan of this file, etc. 
These other indications, however, are not necessary. The setting 
of this set of flags will be more fully described below in 
connection with step 98. n (see col. 5, paragraph 3 et al.) 

The above excerpt, however, merely discloses a flag that identifies viruses to be 
scanned for during scanning, as well as scanning results. This is a paramount departure 
from applicant's technique "wherein said fingerprint data includes a flag indicating which 
data is included within said fingerprint data " (emphasis added), as claimed. Only 
applicant teaches and claims such a specific flag in fingerprint data , which specifically 
indicates which data is included within said fingerprint data . By this feature, such 
information maybe used to enhance the efficiency or overall effectiveness of the 
scanning when the fingerprint data is compared with fingerprint data of known computer 
program. 

To establish a prima facie case of obviousness, three basic criteria must be met. 
First, there must be some suggestion or motivation, either in the references themselves or 
in the knowledge generally available to one of ordinary skill in the art, to modify the 
reference or to combine reference teachings. Second, there must be a reasonable 
expectation of success, Finally, the prior art reference (or references when combined) 
must teach or suggest all the claim limitations, The teaching or suggestion to make the 
claimed combination and the reasonable expectation of success must both be found in the 
prior art and not based on applicant's disclosure. In re Vaeck,947 F.2d 488, 20 USPQ2d 
1438 (Fed.Cir.1991), 

Applicant respectfully asserts that at least the third element of the prima facie 
case of obviousness has not been met, since the prior art references, when combined, fail 
to teach ox suggest all of the claim limitations, as noted above. A notice of allowance or 
a specific prior ait showing of all of applicant's claim limitations, in combination with 
the remaining claim elements, is respectfully requested. 
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Thus, all of the independent claims are deemed allowable. Moreover, the 
remaining dependent claims are farther deemed allowable, in view of their dependence 
on such independent claims. 

In the event a telephone conversation would expedite the prosecution of this 
application, the Examiner may reach the undersigned at (408) 505-5100. The 
Commissioner is authorized to charge any additional fees or credit any overpayment to 
Deposit Account No. 50-1351 (Order No. NAI1P467/00. 177.01). 
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